Skip to content

chore(ci): add Dependabot config and workflow permissions#377

Merged
igerber merged 2 commits intomainfrom
gh-hardening
Apr 25, 2026
Merged

chore(ci): add Dependabot config and workflow permissions#377
igerber merged 2 commits intomainfrom
gh-hardening

Conversation

@igerber
Copy link
Copy Markdown
Owner

@igerber igerber commented Apr 25, 2026

Summary

  • Add .github/dependabot.yml covering pip (root), cargo (rust/), and GitHub Actions ecosystems on a weekly schedule. Minor/patch bumps group into one PR per ecosystem; majors stay individual.
  • Declare workflow-scoped permissions: contents: read on ci-gate.yml, notebooks.yml, and rust-test.yml. These workflows previously inherited the repo default (currently read), which is safe today but would silently widen if the default ever flipped.
  • publish.yml and ai_pr_review.yml already declare per-job permissions: and are unchanged.

Methodology references (required if estimator / math changes)

  • N/A — CI configuration only, no estimator or math changes.

Validation

  • All four YAML files parse cleanly via yaml.safe_load.
  • No code paths touched; no test runs required.

Security / privacy

  • No secrets/PII in this PR.

@igerber @claude
chore(ci): add Dependabot config and least-privilege workflow permiss…
29f4368 
…ions

- Add .github/dependabot.yml covering pip (root), cargo (rust/), and
  github-actions ecosystems on a weekly schedule. Minor/patch updates
  group into one PR per ecosystem; major bumps stay individual.
- Declare workflow-scoped `permissions: contents: read` on ci-gate,
  notebooks, and rust-test workflows so they don't silently inherit
  broader scopes if the repo default is ever changed.

publish.yml and ai_pr_review.yml already declare per-job permissions
and are unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 25, 2026

Overall Assessment

✅ Looks good — no unmitigated P0/P1 findings. I found one P3 least-privilege hardening nit in ci-gate.yml.

Executive Summary

  • Diff scope is CI/dependency automation only (.github/dependabot.yml, .github/workflows/*.yml); no estimator, weighting, variance/SE, identification, or default-behavior code changed, so no methodology contract is affected.
  • .github/dependabot.yml:L1-L46 uses valid Dependabot structure and semantics: required keys are present, / is the correct directory for GitHub Actions scanning, weekly day: monday is valid, and groups.update-types: [minor, patch] leaves majors unmatched and therefore individual. (docs.github.com)
  • Adding explicit workflow-level permissions is a net hardening change because explicit scopes override repo defaults and unspecified scopes become none; notebooks.yml and rust-test.yml both use actions/checkout, which recommends contents: read. (docs.github.com)
  • I parsed all four YAML files locally with yaml.safe_load; residual risk is limited to GitHub-hosted runtime behavior that cannot be exercised here.

Methodology

  • No findings. I checked docs/methodology/REGISTRY.md:L1-L40 for scope, and the diff only touches .github configuration: .github/dependabot.yml:L1-L46, .github/workflows/ci-gate.yml:L1-L23, .github/workflows/notebooks.yml:L1-L70, and .github/workflows/rust-test.yml:L1-L193.

Code Quality

  • No findings. The YAML changes are small, readable, and parsed cleanly locally.

Performance

  • No findings introduced by this PR.

Maintainability

  • No findings. The Dependabot groups are explicit, and the new workflow permissions remove reliance on repository-default token behavior. (docs.github.com)

Tech Debt

  • No new findings. The existing low-priority label/unlabel retrigger issue for notebooks.yml and rust-test.yml remains tracked in TODO.md:L119 and is unchanged by this PR.

Security

  • P3 — Impact: .github/workflows/ci-gate.yml:L8-L9 still grants repository read access even though the only job logic at .github/workflows/ci-gate.yml:L16-L23 reads event metadata and prints an error. Concrete fix: change that workflow to permissions: {}; keep contents: read in notebooks.yml and rust-test.yml because those workflows use actions/checkout. (docs.github.com)

Documentation/Tests

  • No findings. No methodology or user-facing docs are needed for a CI-only change; local YAML parse validation is appropriate for scope, though full workflow execution would still need GitHub Actions.

@igerber @claude
chore(ci): drop contents:read on ci-gate (no checkout, event-only)
5404b12 
ci-gate.yml has no actions/checkout step and only reads label metadata
from github.event context, which doesn't require a token scope. Drop
to permissions: {} for true least-privilege; notebooks.yml and
rust-test.yml retain contents: read because they checkout.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@igerber
Copy link
Copy Markdown
Owner Author

igerber commented Apr 25, 2026

/ai-review

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 25, 2026

🔁 AI review rerun (requested by @igerber)

Head SHA: 5404b12777caa5fd9811485db9a1a59b414bdf7b

Overall Assessment
✅ Looks good - no unmitigated P0/P1 findings.

Executive Summary

  • Scope is CI/dependency automation only: .github/dependabot.yml:L1-L46, .github/workflows/ci-gate.yml:L1-L22, .github/workflows/notebooks.yml:L1-L70, and .github/workflows/rust-test.yml:L1-L193. No estimator, weighting, variance/SE, identification, or default-behavior code changed.
  • Re-review note: the prior least-privilege P3 on ci-gate is resolved. ci-gate now uses permissions: {} at .github/workflows/ci-gate.yml:L8-L22, which disables all GITHUB_TOKEN scopes; GitHub also documents that once any permission is specified, all unspecified scopes become none. (docs.github.com)
  • notebooks.yml and rust-test.yml now pin GITHUB_TOKEN to contents: read at .github/workflows/notebooks.yml:L23-L70 and .github/workflows/rust-test.yml:L22-L193, matching the actions/checkout recommended permission set. (github.com)
  • .github/dependabot.yml:L1-L46 matches current Dependabot docs: the required keys are present, directory: "/" is the documented setting for github-actions, and grouping only minor/patch updates leaves major bumps as individual PRs. The repo's Python manifest is a PEP 621 pyproject.toml at pyproject.toml:L1-L60, which the pip ecosystem supports, and the Rust manifest exists at rust/Cargo.toml:L1-L43. (docs.github.com)
  • All four changed YAML files parsed successfully in local yaml.safe_load validation.
  • The existing label/unlabel retrigger inefficiency remains tracked in TODO.md:L119-L119 and is unchanged by this PR.

Methodology

  • No findings. Severity: none. Impact: docs/methodology/REGISTRY.md:L1-L30 covers estimator methodology, but this diff only changes .github automation files, so no methods are affected. Concrete fix: none.

Code Quality

  • No findings. Severity: none. Impact: the changed YAML is small, readable, and parsed cleanly in local validation. Concrete fix: none.

Performance

  • Severity: P3 informational. Impact: the low-priority re-trigger-on-unrelated-label-events behavior for .github/workflows/notebooks.yml and .github/workflows/rust-test.yml remains tracked in TODO.md:L119-L119; this PR neither fixes nor worsens it. Concrete fix: none for this PR.

Maintainability

  • No findings. Severity: none. Impact: declaring workflow permissions inline makes token scope explicit instead of depending on repository defaults, which is easier to audit over time. .github/workflows/ci-gate.yml:L8-L22, .github/workflows/notebooks.yml:L23-L70, .github/workflows/rust-test.yml:L22-L193. (docs.github.com) Concrete fix: none.

Tech Debt

  • Severity: P3 informational. Impact: no new technical debt is introduced; the only related open item in scope is already tracked in TODO.md:L119-L119. Concrete fix: none.

Security

  • No findings. Severity: none. Impact: no security regression identified. ci-gate no longer receives a token it does not use, and the checkout-based workflows request only contents: read, which is the documented least-privilege baseline for actions/checkout. .github/workflows/ci-gate.yml:L8-L22, .github/workflows/notebooks.yml:L23-L70, .github/workflows/rust-test.yml:L22-L193. (docs.github.com) Concrete fix: none.

Documentation/Tests

  • No findings. Severity: none. Impact: no methodology docs or estimator tests are required for a CI-only change; static YAML validation is appropriate for this scope, with the normal caveat that GitHub-hosted runtime behavior was not executed in this local review. Concrete fix: none.

@igerber igerber added the ready-for-ci Triggers CI test workflows label Apr 25, 2026
@igerber igerber merged commit 3897cdb into main Apr 25, 2026
26 of 27 checks passed
@igerber igerber deleted the gh-hardening branch April 25, 2026 22:27
@igerber igerber mentioned this pull request Apr 26, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

ready-for-ci Triggers CI test workflows

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@igerber